Channel: Symantec Connect - Products - Articles

Delver of the Arcane Archives

Introduction

This is lucky number thirteen in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles.

Chapter Thirteen: Delver of the Arcane Archives builds on two previous adventures... erm, articles!  Yes, articles.

This article illustrates a little-known shortcut that can defeat the mustache-twirling villains who never cease trying to infect your network through your own mail infrastructure.  Read on, if you dare! 

Scene One: A Bustling Souk, 1936.  No, Scratch That: A Busy MS Exchange, 2016.

An intrepid admin studies a mysterious, unexpected package that has come his way. The parcel's subject sure sounds important, piquing curiosity and demanding immediate attention.  But what is this exotic attachment sent from a far-off land, this "REGISTRO PAGO OPORTUNO 17-05-2016.tbz"?  What is this arcane .tbz format (or be it .cab or .ace)?  Is that a technology commonplace to an alien culture?  Legend (that our hero knows to be based in fact) speaks of an advanced tribe of penguin people who regularly use .bzip and .bz2 and .tgz.  Was this new business from them?

Ever cautious, the admin tips his fedora back on his head and submits this mail attachment to his trusted security advisors at Symantec. With their worldwide presence and knowledge of secretive files, they should be able to determine if this correspondence holds the promise of fabulous wealth, or if it is the dangerous ruse of spies or saboteurs!

Digging in the Wrong Place

Within minutes Symantec has replied: that mysterious attachment is an.... Archive.  No details are revealed about its contents. 

Back at square one, the admin reaches into his desk drawer.  With teeth curled into a snarl he reefs the cork from his bottle of Islay single malt Scotch.  Archive.  He already knew that.  What is inside the arcane compression format of this mysterious container, that is still the question. 

Should he call up Technical Support and open a case, asking for a deeper analysis of the file?  He could, but that may take hours. 

Soothed by a couple of blasts of Bowmore, he suddenly recalls that it was written:

[Image: zip_rar.png]

Of course!  It is only to be expected that submissions in a non-Zip or non-RAR format would not be explored!  He had been asking the question in the wrong place! 

Open Source Intel to the Rescue!

The admin submits the strange "REGISTRO PAGO OPORTUNO 17-05-2016.tbz" file to the gurus at virustotal.com.  They mull over the file for a moment, then (with a click upon the "File detail" tab) reveal the secret within:

[Image: mysterious_contents.png]

Within the obscure archive waited an executable, never a good sign.  "Exes sent by mail. I hate those guys."  Glad that he had not been foolhardy and opened the .tbz himself, the admin spun open a new browser window.  He knew just what to do!

A Montage Set to Exciting Chase Music

That SHA256 was the key.  Symantec needed the payload, and he had been the first to learn that VT had it.  All that the admin needed to do was put the two together using Public Hash Submission and then wait.

Within minutes of providing that SHA256 hash, an alert popped up that a Tracking Number had arrived in his personal mailbox.  Everything was rolling now.  Before he even had time to jump under a descending stone door or run from a giant boulder, another message sprang forward.
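The two steps the story turns on are looking inside the .tbz without opening it by hand and obtaining the SHA256 of the executable it holds. The following is an added example, not code from the article or from Symantec, that does both offline with the Python standard library: it builds a constructed sample .tbz in memory (the member names and bytes are made up; the fake executable carries only the "MZ" marker), enumerates the members without writing anything to disk, hashes each one, and flags anything that looks executable by name or by its first bytes. The EXECUTABLE_EXTENSIONS list is an assumption for the example.

```python
import hashlib
import io
import tarfile

# Extensions that should never arrive inside a mailed archive; the list is an assumption for this example.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".jar")

# Constructed sample contents: a fake "executable" carrying only the PE/DOS 'MZ' marker, plus a harmless text file.
SAMPLE_MEMBERS = {
    "REGISTRO PAGO OPORTUNO 17-05-2016.exe": b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real program",
    "leeme.txt": b"Documento adjunto\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 digest, the identifier a hash-submission form expects."""
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Windows executables start with the two-byte DOS header 'MZ', whatever their file name says."""
    return data[:2] == b"MZ"


def inspect_tar_archive(archive_bytes: bytes) -> list:
    """List the regular files in a (compressed) tar archive held in memory.

    Nothing is written to disk and nothing is executed: each member is read into memory,
    hashed, and flagged if its name or its first bytes look like an executable.
    mode='r:*' lets tarfile detect bz2 (.tbz), gzip (.tgz) or plain tar automatically.
    """
    records = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # skip directories, symlinks and other special entries
            handle = tar.extractfile(member)
            payload = handle.read() if handle is not None else b""
            by_name = member.name.lower().endswith(EXECUTABLE_EXTENSIONS)
            records.append({
                "name": member.name,
                "size": len(payload),
                "sha256": sha256_hex(payload),
                "executable": by_name or looks_like_pe(payload),
            })
    return records


def build_sample_tbz() -> bytes:
    """Build a small bzip2-compressed tar (.tbz) in memory from SAMPLE_MEMBERS."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in SAMPLE_MEMBERS.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for rec in inspect_tar_archive(build_sample_tbz()):
        verdict = "EXECUTABLE" if rec["executable"] else "ok"
        print(f"{verdict:10} {rec['sha256']}  {rec['name']} ({rec['size']} bytes)")
```

The printed SHA256 of the flagged member is the value you would paste into a hash-submission form; reading members with extractfile rather than extract keeps the archive's contents off the filesystem, so a suspicious file never gains an extension the desktop might honour.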

[Image: yes_its_detected.png]

Malice, it was everywhere.  An admin can't even dine on an exotic banquet for lunch without a dozen malware distributors trying to sneak viruses and trojans and ransomware past the defenses.  Luckily there were helpful parties who could help him safely delve into arcane archive formats and determine if there was any danger from what mysterious contents lay within.

You Have Chosen Wisely

Our hero revisited the sage words that guide admins well as they carry on their endless defense: Support Perspective: W97M.Downloader Battle Plan.

Mail security products also have the ability to create policies that prevent the delivery of attachments with multiple extensions like ".doc.exe" or similar.  Also be sure to block .jar attachments and block .js attachments- ... block uncommon incoming archive formats, like .gz, .bz2, .ace and .cab.  These are unlikely to contain legitimate content.

A few clicks and all within his domain was once again secure. No doubt the villains would soon come back with a new approach, with ever-higher stakes...
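The attachment rules quoted above (block double extensions such as .doc.exe, block .jar and .js, block uncommon archive formats) are easy to express as a small filename policy. The following is an added example, not code from the article or from any Symantec product, that classifies attachment names under such a policy; the extension sets are assumptions built from the quoted advice and extended with other script types, and the sample names are constructed apart from the file from the story. It also handles two edge cases a gateway must get right: upper-case extensions and trailing dots or spaces, both of which Windows ignores when deciding how to open a file.

```python
import os

# Policy lists are assumptions made for this example, built from the advice quoted above
# (block .jar and .js, block uncommon archive formats such as .gz, .bz2, .ace and .cab)
# and extended with other script and executable types mail gateways commonly block.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "jar"}
UNCOMMON_ARCHIVES = {"gz", "bz2", "tgz", "tbz", "ace", "cab"}
ALLOWED_ARCHIVES = {"zip", "rar"}  # formats whose contents the submission process in the article will examine

# Constructed attachment names; the first is the file from the story, the rest are made up.
SAMPLE_ATTACHMENTS = [
    "REGISTRO PAGO OPORTUNO 17-05-2016.tbz",
    "factura.doc.exe",
    "photo.JPG.js",
    "setup.exe.",
    "C:\\Users\\alice\\archive.tar.gz",
    "invoice.zip",
    "report.pdf",
    "README",
]


def split_extensions(filename: str) -> list:
    """Lower-cased extension chain of a file name: 'Invoice.DOC.exe' -> ['doc', 'exe'].

    Path components are dropped and trailing dots/spaces are stripped, because Windows
    ignores them when it decides how to open a file, so 'setup.exe.' still runs as an executable.
    """
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename: str) -> tuple:
    """Return (action, reason) for one attachment name under the policy above."""
    exts = split_extensions(filename)
    if not exts:
        return ("allow", "no extension")
    last = exts[-1]
    if last in BLOCKED_EXTENSIONS:
        if len(exts) > 1:
            # 'factura.doc.exe': a document-looking name hiding an executable suffix
            return ("block", f"double extension .{exts[-2]}.{last}")
        return ("block", f"executable or script type .{last}")
    if last in UNCOMMON_ARCHIVES:
        return ("block", f"uncommon archive format .{last}")
    if last in ALLOWED_ARCHIVES:
        return ("allow", f"archive format .{last}, contents to be inspected")
    return ("allow", f".{last}")


def apply_policy(filenames) -> dict:
    """Classify every name and return {filename: (action, reason)}."""
    return {name: classify_attachment(name) for name in filenames}


if __name__ == "__main__":
    for name, (action, reason) in apply_policy(SAMPLE_ATTACHMENTS).items():
        print(f"{action:5}  {name!r:45} {reason}")
```

Note that the final extension decides the verdict: a name ending in an executable suffix is blocked whether or not a document extension precedes it, and the double-extension reason exists only so the log explains why a file that "looked like" a .doc was stopped. Allowed archives are still worth inspecting, as the story shows.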

One last pull on the bottle of Bowmore and it was time to throw his vintage jacket over his shoulder and ride off into the sunset.  Thank you, friendly OSINT, and thank you, Symantec!

Conclusion

Many thanks for reading!  And for putting up with my Indiana Jones rip-off.  The concept sounded more amusing than it actually turned out. Please don't drink Scotch at your workplace here in the real world, and please leave comments and feedback below. 

